8 files changed, 107 insertions, 41 deletions
diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go
index f8e7020f7..4546acefb 100644
--- a/libpod/oci_conmon_exec_linux.go
+++ b/libpod/oci_conmon_exec_linux.go
@@ -387,7 +387,7 @@ func (r *ConmonOCIRuntime) startExec(c *Container, sessionID string, options *Ex
 		finalEnv = append(finalEnv, fmt.Sprintf("%s=%s", k, v))
 	}
 
-	processFile, err := prepareProcessExec(c, options.Cmd, finalEnv, options.Terminal, options.Cwd, options.User, sessionID)
+	processFile, err := prepareProcessExec(c, options, finalEnv, sessionID)
 	if err != nil {
 		return nil, nil, err
 	}
diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index c99086b33..199b40097 100644
--- a/libpod/oci_conmon_linux.go
+++ b/libpod/oci_conmon_linux.go
@@ -1185,26 +1185,33 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co
 
 // prepareProcessExec returns the path of the process.json used in runc exec -p
 // caller is responsible to close the returned *os.File if needed.
-func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string) (*os.File, error) {
+func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessionID string) (*os.File, error) {
 	f, err := ioutil.TempFile(c.execBundlePath(sessionID), "exec-process-")
 	if err != nil {
 		return nil, err
 	}
 	pspec := c.config.Spec.Process
 	pspec.SelinuxLabel = c.config.ProcessLabel
-	pspec.Args = cmd
+	pspec.Args = options.Cmd
+	for _, cap := range options.CapAdd {
+		pspec.Capabilities.Bounding = append(pspec.Capabilities.Bounding, cap)
+		pspec.Capabilities.Effective = append(pspec.Capabilities.Effective, cap)
+		pspec.Capabilities.Inheritable = append(pspec.Capabilities.Inheritable, cap)
+		pspec.Capabilities.Permitted = append(pspec.Capabilities.Permitted, cap)
+		pspec.Capabilities.Ambient = append(pspec.Capabilities.Ambient, cap)
+	}
 	// We need to default this to false else it will inherit terminal as true
 	// from the container.
 	pspec.Terminal = false
-	if tty {
+	if options.Terminal {
 		pspec.Terminal = true
 	}
 	if len(env) > 0 {
 		pspec.Env = append(pspec.Env, env...)
 	}
 
-	if cwd != "" {
-		pspec.Cwd = cwd
+	if options.Cwd != "" {
+		pspec.Cwd = options.Cwd
 
 	}
 
@@ -1212,6 +1219,7 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se
 	var sgids []uint32
 
 	// if the user is empty, we should inherit the user that the container is currently running with
+	user := options.User
 	if user == "" {
 		user = c.config.User
 		addGroups = c.config.Groups
diff --git a/pkg/api/handlers/compat/containers.go b/pkg/api/handlers/compat/containers.go
index 7a3e5dd84..0f89c859e 100644
--- a/pkg/api/handlers/compat/containers.go
+++ b/pkg/api/handlers/compat/containers.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"sort"
 	"strconv"
 	"strings"
 	"syscall"
@@ -13,6 +14,8 @@ import (
 	"github.com/containers/podman/v2/libpod/define"
 	"github.com/containers/podman/v2/pkg/api/handlers"
 	"github.com/containers/podman/v2/pkg/api/handlers/utils"
+	"github.com/containers/podman/v2/pkg/domain/filters"
+	"github.com/containers/podman/v2/pkg/ps"
 	"github.com/containers/podman/v2/pkg/signal"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
@@ -78,10 +81,6 @@ func RemoveContainer(w http.ResponseWriter, r *http.Request) {
 }
 
 func ListContainers(w http.ResponseWriter, r *http.Request) {
-	var (
-		containers []*libpod.Container
-		err        error
-	)
 	runtime := r.Context().Value("runtime").(*libpod.Runtime)
 	decoder := r.Context().Value("decoder").(*schema.Decoder)
 	query := struct {
@@ -97,22 +96,48 @@ func ListContainers(w http.ResponseWriter, r *http.Request) {
 		utils.Error(w, "Something went wrong.", http.StatusBadRequest, errors.Wrapf(err, "failed to parse parameters for %s", r.URL.String()))
 		return
 	}
-	if query.All {
-		containers, err = runtime.GetAllContainers()
-	} else {
-		containers, err = runtime.GetRunningContainers()
+
+	filterFuncs := make([]libpod.ContainerFilter, 0, len(query.Filters))
+	all := query.All || query.Limit > 0
+	if len(query.Filters) > 0 {
+		for k, v := range query.Filters {
+			generatedFunc, err := filters.GenerateContainerFilterFuncs(k, v, runtime)
+			if err != nil {
+				utils.InternalServerError(w, err)
+				return
+			}
+			filterFuncs = append(filterFuncs, generatedFunc)
+		}
 	}
+
+	// Docker thinks that if status is given as an input, then we should override
+	// the all setting and always deal with all containers.
+	if len(query.Filters["status"]) > 0 {
+		all = true
+	}
+	if !all {
+		runningOnly, err := filters.GenerateContainerFilterFuncs("status", []string{define.ContainerStateRunning.String()}, runtime)
+		if err != nil {
+			utils.InternalServerError(w, err)
+			return
+		}
+		filterFuncs = append(filterFuncs, runningOnly)
+	}
+
+	containers, err := runtime.GetContainers(filterFuncs...)
 	if err != nil {
 		utils.InternalServerError(w, err)
 		return
 	}
 	if _, found := r.URL.Query()["limit"]; found && query.Limit > 0 {
-		last := query.Limit
-		if len(containers) > last {
-			containers = containers[len(containers)-last:]
+		// Sort the libpod containers
+		sort.Sort(ps.SortCreateTime{SortContainers: containers})
+		// we should perform the lopping before we start getting
+		// the expensive information on containers
+		if len(containers) > query.Limit {
+			containers = containers[:query.Limit]
 		}
 	}
-	// TODO filters still need to be applied
 	var list = make([]*handlers.Container, len(containers))
 	for i, ctnr := range containers {
 		api, err := LibpodToContainer(ctnr, query.Size)
diff --git a/pkg/api/handlers/compat/resize.go b/pkg/api/handlers/compat/resize.go
index bdc051d73..cc8c6ef0a 100644
--- a/pkg/api/handlers/compat/resize.go
+++ b/pkg/api/handlers/compat/resize.go
@@ -20,8 +20,8 @@ func ResizeTTY(w http.ResponseWriter, r *http.Request) {
 
 	// /containers/{id}/resize
 	query := struct {
-		height uint16 `schema:"h"`
-		width  uint16 `schema:"w"`
+		Height uint16 `schema:"h"`
+		Width  uint16 `schema:"w"`
 	}{
 		// override any golang type defaults
 	}
@@ -33,8 +33,8 @@ func ResizeTTY(w http.ResponseWriter, r *http.Request) {
 	}
 
 	sz := remotecommand.TerminalSize{
-		Width:  query.width,
-		Height: query.height,
+		Width:  query.Width,
+		Height: query.Height,
 	}
 
 	var status int
diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index 0c97dc496..d3cbac76e 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -172,7 +172,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 
 	// Clear default Seccomp profile from Generator for unconfined containers
 	// and privileged containers which do not specify a seccomp profile.
-	if s.SeccompProfilePath == "unconfined" || (s.Privileged && (s.SeccompProfilePath == config.SeccompOverridePath || s.SeccompProfilePath == config.SeccompDefaultPath)) {
+	if s.SeccompProfilePath == "unconfined" || (s.Privileged && (s.SeccompProfilePath == "" || s.SeccompProfilePath == config.SeccompOverridePath || s.SeccompProfilePath == config.SeccompDefaultPath)) {
 		configSpec.Linux.Seccomp = nil
 	}
 
diff --git a/test/apiv2/20-containers.at b/test/apiv2/20-containers.at
index bc6efc20d..decdc4754 100644
--- a/test/apiv2/20-containers.at
+++ b/test/apiv2/20-containers.at
@@ -203,6 +203,15 @@ t GET 'containers/json?limit=0&all=1' 200 \
   .[0].Id~[0-9a-f]\\{64\\} \
   .[1].Id~[0-9a-f]\\{64\\}
 
+t GET containers/json?limit=2 200 length=2
+
+# Filter with two ids should return both container
+t GET "containers/json?filters=%7B%22id%22%3A%5B%22${cid}%22%2C%22${cid_top}%22%5D%7D&all=1" 200 length=2
+# Filter with two ids and status running should return only 1 container
+t GET "containers/json?filters=%7B%22id%22%3A%5B%22${cid}%22%2C%22${cid_top}%22%5D%2C%22status%22%3A%5B%22running%22%5D%7D&all=1" 200 \
+  length=1 \
+  .[0].Id=${cid_top}
+
 t POST containers/${cid_top}/stop "" 204
 
 t DELETE containers/$cid 204
diff --git a/test/e2e/exec_test.go b/test/e2e/exec_test.go
index f61f52589..18737105e 100644
--- a/test/e2e/exec_test.go
+++ b/test/e2e/exec_test.go
@@ -119,6 +119,21 @@ var _ = Describe("Podman exec", func() {
 		Expect(session.ExitCode()).To(Equal(100))
 	})
 
+	It("podman exec --privileged", func() {
+		hostCap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
+		Expect(hostCap.ExitCode()).To(Equal(0))
+
+		setup := podmanTest.RunTopContainer("test-privileged")
+		setup.WaitWithDefaultTimeout()
+		Expect(setup.ExitCode()).To(Equal(0))
+
+		session := podmanTest.Podman([]string{"exec", "--privileged", "test-privileged", "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+
+		containerCapMatchesHost(session.OutputToString(), hostCap.OutputToString())
+	})
+
 	It("podman exec terminal doesn't hang", func() {
 		setup := podmanTest.Podman([]string{"run", "-dti", "--name", "test1", fedoraMinimal, "sleep", "+Inf"})
 		setup.WaitWithDefaultTimeout()
diff --git a/test/e2e/run_privileged_test.go b/test/e2e/run_privileged_test.go
index 760de55b6..48f9ea76e 100644
--- a/test/e2e/run_privileged_test.go
+++ b/test/e2e/run_privileged_test.go
@@ -16,22 +16,22 @@ import (
 // know about at compile time. That is: the kernel may have more caps
 // available than we are aware of, leading to host=FFF... and ctr=3FF...
 // because the latter is all we request. Accept that.
-func containerCapMatchesHost(ctr_cap string, host_cap string) {
+func containerCapMatchesHost(ctrCap string, hostCap string) {
 	if isRootless() {
 		return
 	}
-	ctr_cap_n, err := strconv.ParseUint(ctr_cap, 16, 64)
-	Expect(err).NotTo(HaveOccurred(), "Error parsing %q as hex", ctr_cap)
+	ctrCap_n, err := strconv.ParseUint(ctrCap, 16, 64)
+	Expect(err).NotTo(HaveOccurred(), "Error parsing %q as hex", ctrCap)
 
-	host_cap_n, err := strconv.ParseUint(host_cap, 16, 64)
-	Expect(err).NotTo(HaveOccurred(), "Error parsing %q as hex", host_cap)
+	hostCap_n, err := strconv.ParseUint(hostCap, 16, 64)
+	Expect(err).NotTo(HaveOccurred(), "Error parsing %q as hex", hostCap)
 
 	// host caps can never be zero (except rootless).
 	// and host caps must always be a superset (inclusive) of container
-	Expect(host_cap_n).To(BeNumerically(">", 0), "host cap %q should be nonzero", host_cap)
-	Expect(host_cap_n).To(BeNumerically(">=", ctr_cap_n), "host cap %q should never be less than container cap %q", host_cap, ctr_cap)
-	host_cap_masked := host_cap_n & (1<<len(capability.List()) - 1)
-	Expect(ctr_cap_n).To(Equal(host_cap_masked), "container cap %q is not a subset of host cap %q", ctr_cap, host_cap)
+	Expect(hostCap_n).To(BeNumerically(">", 0), "host cap %q should be nonzero", hostCap)
+	Expect(hostCap_n).To(BeNumerically(">=", ctrCap_n), "host cap %q should never be less than container cap %q", hostCap, ctrCap)
+	hostCap_masked := hostCap_n & (1<<len(capability.List()) - 1)
+	Expect(ctrCap_n).To(Equal(hostCap_masked), "container cap %q is not a subset of host cap %q", ctrCap, hostCap)
 }
 
 var _ = Describe("Podman privileged container tests", func() {
@@ -68,38 +68,38 @@ var _ = Describe("Podman privileged container tests", func() {
 	})
 
 	It("podman privileged CapEff", func() {
-		host_cap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
-		Expect(host_cap.ExitCode()).To(Equal(0))
+		hostCap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
+		Expect(hostCap.ExitCode()).To(Equal(0))
 
 		session := podmanTest.Podman([]string{"run", "--privileged", "busybox", "awk", "/^CapEff/ { print $2 }", "/proc/self/status"})
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
 
-		containerCapMatchesHost(session.OutputToString(), host_cap.OutputToString())
+		containerCapMatchesHost(session.OutputToString(), hostCap.OutputToString())
 	})
 
 	It("podman cap-add CapEff", func() {
 		// Get caps of current process
-		host_cap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
-		Expect(host_cap.ExitCode()).To(Equal(0))
+		hostCap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
+		Expect(hostCap.ExitCode()).To(Equal(0))
 
 		session := podmanTest.Podman([]string{"run", "--cap-add", "all", "busybox", "awk", "/^CapEff/ { print $2 }", "/proc/self/status"})
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
 
-		containerCapMatchesHost(session.OutputToString(), host_cap.OutputToString())
+		containerCapMatchesHost(session.OutputToString(), hostCap.OutputToString())
 	})
 
 	It("podman cap-add CapEff with --user", func() {
 		// Get caps of current process
-		host_cap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
-		Expect(host_cap.ExitCode()).To(Equal(0))
+		hostCap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
+		Expect(hostCap.ExitCode()).To(Equal(0))
 
 		session := podmanTest.Podman([]string{"run", "--user=bin", "--cap-add", "all", "busybox", "awk", "/^CapEff/ { print $2 }", "/proc/self/status"})
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
 
-		containerCapMatchesHost(session.OutputToString(), host_cap.OutputToString())
+		containerCapMatchesHost(session.OutputToString(), hostCap.OutputToString())
 	})
 
 	It("podman cap-drop CapEff", func() {
@@ -110,6 +110,15 @@ var _ = Describe("Podman privileged container tests", func() {
 		Expect("0000000000000000").To(Equal(capEff[1]))
 	})
 
+	It("podman privileged should disable seccomp by default", func() {
+		hostSeccomp := SystemExec("grep", []string{"-Ei", "^Seccomp:\\s+0$", "/proc/self/status"})
+		Expect(hostSeccomp.ExitCode()).To(Equal(0))
+
+		session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "grep", "-Ei", "^Seccomp:\\s+0$", "/proc/self/status"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+	})
+
 	It("podman non-privileged should have very few devices", func() {
 		session := podmanTest.Podman([]string{"run", "-t", "busybox", "ls", "-l", "/dev"})
 		session.WaitWithDefaultTimeout()